I came across CISA and CISM (these are highly paid jobs in the UK, not sure about the US). Though I am not in the security field, I intend to get into this line. I have over 10 years' experience in the IT industry. Earlier I had the idea of doing CEH and going into pen testing, but when checking other resources I felt CISA is interesting and would like to pursue CISM after gaining experience and completing CISA. Could someone guide or advise me, or shed light on the nature of IT security auditing work? Also, is my chosen path a good one to go into?

The security audit field is very broad and fortunately audit activities aren't restricted to just internal/external audit groups. In fact, you could consider pen testing activities to be an audit or assessment activity. There are also ample opportunities to implement control self-assessment activities in many organizations due to the ever-increasing regulatory requirements that a lot of businesses face.

My advice would be to perform comprehensive research on the topic and really decide what path you want to take (maybe both?). The CISA focuses on the audit process and audit considerations, but is fairly high level when it comes to the technical details of assessment. The CEH training along w/ your IT background would be a good complement in designing test plans and performing analysis during fieldwork (also check out the IAM).

The job market seems to be good for IT auditors nowadays, especially those w/ security backgrounds. A piece of advice for college grads and others going into IT - consider a few years with an internal IT audit group. You will get a broad view of the corporation and their IT functions, get in front of higher level people (great networking opportunity for the future), and hopefully learn about IT governance and how the business objectives should drive IT decisions.

I spent a little over a year in an IT audit shop after 4 years of security engineering work. I won't lie, the work was fairly mundane due to various constraints of the business - it all depends on what type of auditing you're allowed to do. It was, however, a great opportunity to round out some rough edges in terms of risk and control - very valuable experience in the security consulting work that I am now doing.

Regards,

Matt

Last edited by mdschmid on Tue Sep 25, 2007 9:20 am, edited 1 time in total.

Hi Matt,

Thanks for your brief message. I was planning to do CEH, but having been working a long time in dev & testing, I want to get into security auditing type roles. Again, for CEH certification it is mandatory that I have security experience to get into the training & certification (training institutes in London said this), whereas I felt security auditing, CISA, CISM, CISSP has wide scope to cover security work (the only thing is I need entry to the market, which is tough even with CEH). OK, coming to the point you made about the high level of technical details of assessment...! I couldn't understand what you mean or point to... could you shed more light please...

Regarding IAM, I feel it's not seen in the UK... I hope it's based on US requirements... not sure.